Bug/sp 3974 missing GitHub packages

[agustingroh]

Summary by CodeRabbit

• New Features

  • Treat Git-style PURLs as Git packages and fall back to original PURLs when needed.

• Changed

  • Component version resolution is now concurrent for faster processing.
  • OSV lookups use improved repo-derived handling and fallback logic.
  • Dependency updates and cleanup (core models upgraded; several indirect deps removed).

• Tests

  • Added unit tests for repository URL derivation from PURLs.

• Documentation

  • Changelog updated with 0.9.0 entry and reference formatting.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

Adds Git-hosted PURL handling with fallback for OSV lookups, factors OSV HTTP logic into a helper, introduces concurrent worker-pool component version resolution, upgrades go-models and adds go-purl-helper, updates changelog and tests.

Changes

Cohort / File(s)	Summary
Changelog CHANGELOG.md	Added Unreleased [0.9.0] entry (Git-hosted PURL -> GIT mapping, concurrent version resolution, go-models v0.3.0) and updated reference links; minor newline adjustments.
Go module / deps go.mod	Upgraded github.com/scanoss/go-models to v0.3.0, added github.com/scanoss/go-purl-helper v0.2.1, removed github.com/guseggert/pkggodev-client and several indirect deps.
OSV Use Case pkg/usecase/OSV_use_case.go, pkg/usecase/OSV_use_case_test.go	Added PURL parsing and getRepoURL; augmented OSVPackageRequest/OSVRequest with ecosystem and fallback fields; extracted OSV HTTP logic into queryOSV; transform logic now sets GIT ecosystem and fallback behavior; added TestGetRepoURL.
Vulnerability Use Case pkg/usecase/vulnerability_use_case.go	Introduced concurrent version-resolution worker pool (componentVersionWorker, getComponentsVersion) and replaced inline per-component resolution with pre-resolved processedComponents used for OSV/local lookups.

Sequence Diagrams

sequenceDiagram
    participant Client as Client
    participant Vuln as VulnerabilityUseCase
    participant Pool as WorkerPool
    participant SCANOSS as SCANOSS
    participant OSVService as OSVService

    Client->>Vuln: Execute(components)
    Vuln->>Pool: getComponentsVersion(components)
    loop concurrent workers
        Pool->>SCANOSS: query component version
        alt version resolved
            SCANOSS-->>Pool: resolved version
            Pool-->>Vuln: processed component
        else error/no match
            SCANOSS-->>Pool: no match / error
            Pool-->>Vuln: original component
        end
    end
    Vuln->>OSVService: vulnerability lookups using processedComponents
    OSVService-->>Vuln: results
    Vuln-->>Client: final vulnerabilities

Loading

sequenceDiagram
    participant Client as Client
    participant OSV as OSVUseCase
    participant PURL as PURLParser
    participant OSVService as OSVService

    Client->>OSV: Execute(components)
    OSV->>PURL: getRepoURL(originalPurl)
    alt repo URL found (Git)
        PURL-->>OSV: repoURL
        OSV->>OSVService: queryOSV(request with Ecosystem=GIT, repo URL)
        OSVService-->>OSV: vulnerabilities
        alt no results
            OSV->>OSVService: queryOSV(request with original PURL fallback)
            OSVService-->>OSV: vulnerabilities
        end
    else no repo URL
        PURL-->>OSV: nil
        OSV->>OSVService: queryOSV(request with original PURL)
        OSVService-->>OSV: vulnerabilities
    end
    OSV-->>Client: results (Purl set to OriginalPurl)

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Possibly related PRs

• chore:SP-3888 Implement multithreading support for the local vulnerab… #30: Similar worker-pool and concurrent vulnerability processing changes touching pkg/usecase/vulnerability_use_case.go.
• Feat/sp 3099 EPSS info #29: Overlaps on OSV use case refactor and PURL/worker logic modifications.

Suggested reviewers

• isasmendiagus
• eeisegn

Poem

🐰 I sniffed a PURL down a Gitty track,
I hopped with workers and brought versions back,
Queries danced and fallbacks took flight,
Results arrived tidy, glowing bright,
Hooray — a speedy review hop, light.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'Bug/sp 3974 missing GitHub packages' directly addresses the pull request's primary objective—fixing missing GitHub package vulnerability detection through ecosystem-aware PURL handling and fallback mechanisms.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch bug/SP-3974-missing-github-packages

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Fix all issues with AI agents

In `@go.mod`:
- Around line 17-18: The go.mod references github.com/scanoss/go-models v0.3.0
which does not exist; update the module line for github.com/scanoss/go-models to
the valid tag v0.2.0 (or confirm and set a newer existing tag if intended) and
then run go tooling to refresh modules (e.g., go get
github.com/scanoss/go-models@v0.2.0 && go mod tidy) to ensure go.sum and
dependencies are consistent; leave github.com/scanoss/go-purl-helper at v0.2.1
as-is unless you intentionally want to change it.

In `@pkg/usecase/OSV_use_case.go`:
- Around line 71-100: In getOSVRequestsFromDTO, the code builds a Git repo URL
from a parsed PURL without verifying purl.Namespace and purl.Name; add guards
after packageurl.FromString to ensure both purl.Namespace and purl.Name are
non-empty (and non-whitespace) before using gitHosts[purl.Type] to construct
repoURL and assign osvRequest.Package = OSVPackageRequest{Name: repoURL,
Ecosystem: "GIT"}; if either field is empty, skip the Git branch so the existing
fallback that sets osvRequest.Package = OSVPackageRequest{Purl: c.Purl} remains
used. Also ensure you reference the same symbols (packageurl.FromString,
gitHosts, osvRequest.Package, OSVPackageRequest) when making the change.

In `@pkg/usecase/vulnerability_use_case.go`:
- Around line 81-107: The getComponentsVersion function can end up with
numWorkers == 0 when config.Source.SCANOSS.MaxWorkers is 0, causing no workers
to spawn and results to be empty; fix this by enforcing at least one worker when
there are components to process (e.g., compute numWorkers using max(1,
min(us.config.Source.SCANOSS.MaxWorkers, numJobs)) or if numJobs>0 &&
numWorkers==0 set numWorkers=1) before starting the worker goroutines in
getComponentsVersion so workers are always spawned when components exist.

🧹 Nitpick comments (1)

pkg/usecase/vulnerability_use_case.go (1)

52-79: Consider emitting the original component on SCANOSS lookup errors.
Right now an error drops the component entirely, which can suppress vulnerability results for that input. If best‑effort behavior is desired, emit the original component before continuing.

♻️ Suggested fallback behavior

 		if err != nil {
 			us.s.Warnf("Failed to get component: %s, %s", j.Purl, j.Requirement)
-			continue
+			results <- processedComponent
+			continue
 		}

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In `@pkg/usecase/OSV_use_case.go`:
- Around line 99-109: In getRepoURL, avoid using purl before checking
packageurl.FromString's error and eliminate the err shadowing; first call purl,
err := packageurl.FromString(purlString) and immediately return nil on non-nil
err, then access purl.Qualifiers.Map() to get repoURL; when calling
url.QueryUnescape(repoURL) use a differently named variable (e.g., decodedErr
for the error or reuse err after the earlier check) to prevent shadowing and
return nil on unescape error, otherwise return &decoded.

In `@pkg/usecase/vulnerability_use_case.go`:
- Around line 70-73: The worker loop in vulnerability_use_case.go currently logs
and continues when GetComponent returns an error (the block containing
us.s.Warnf("Failed to get component: %s, %s", j.Purl, j.Requirement)), which
skips sending to the results channel and causes processRequests to block waiting
for numJobs results; change the error path so it still sends a result for that
job (for example send the original job j or a result struct containing j with
the existing version/empty vulnerability info and the error flagged) to the
results channel instead of continue, ensuring GetComponent, the results channel,
and processRequests receive a result for every job to avoid deadlock.

🧹 Nitpick comments (1)

pkg/usecase/OSV_use_case_test.go (1)

72-87: Good test coverage, but context setup is unused.

The test provides excellent coverage of getRepoURL with various PURL formats. However, ctx (line 78) is created but never used since getRepoURL doesn't take a context parameter. Consider removing the unused setup for clarity.

♻️ Suggested simplification

 func TestGetRepoURL(t *testing.T) {
 	err := zlog.NewSugaredDevLogger()
 	if err != nil {
 		t.Fatalf("an error '%s' was not expected when opening a sugared logger", err)
 	}
 	defer zlog.SyncZap()
-	ctx := ctxzap.ToContext(context.Background(), zlog.L)
-	s := ctxzap.Extract(ctx).Sugar()
+	s := zlog.S

 	serverConfig, err := config.NewServerConfig(nil)

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In `@CHANGELOG.md`:
- Around line 12-16: The CHANGELOG entry "## [0.9.0] - 2026/02/02" is dated in
the future; move the three bullet items under an "[Unreleased]" header (or
change the header to "## [0.9.0] - Planned" / add "(planned)" after the date) so
the release notes aren't presented as already released; specifically update the
header line "## [0.9.0] - 2026/02/02" and ensure the three bullets about GitHub
PURLs, concurrent worker pool, and `/scanoss/go-models v0.3.0` remain under the
new "[Unreleased]" or clearly marked planned section.